<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<subsection-title-en>3.3 Software Attestation Overview</subsection-title-en>
<subsection-title-ch>3.3 软件证言概述</subsection-title-ch>
<p-en>
	The security of systems that employ trusted processors hinges on software attestation. The software running inside an isolated container established by trusted hardware can ask the hardware to sign (§3.1.3) a small piece of attestation data, producing an attestation signature. Asides from the attestation data, the signed message includes a measurement that uniquely identifies the software inside the container. Therefore, an attestation signature can be used to convince a verifier that the attestation data was produced by a specific piece of software, which is hosted inside a container that is isolated by trusted hardware from outside interference.
</p-en>
<p-ch>
	采用可信处理器的系统的安全性取决于软件证言。运行在由可信硬件建立的隔离容器内的软件可以要求硬件签名(§3.1.3)一小段证言数据，产生一个证言签名。除了证言数据外，签名的消息还包括一个唯一标识容器内软件的度量。因此，证言签名可用于使验证人相信证言数据是由一个特定的软件产生的，而该软件被托管在一个由可信硬件隔离的容器内，不受外界干扰。
</p-ch>
<p-en>
	Each hardware platform discussed in this section uses a slightly different software attestation scheme. Platforms differ by the amount of software that executes inside an isolated container, by the isolation guarantees provided to the software inside a container, and by the process used to obtain a container's measurement. The threat model and security properties of each trusted hardware platform follow directly from the design choices outlined above, so a good understanding of attestation is a prerequisite to discussing the differences between existing platforms.
</p-en>
<p-ch>
	本节讨论的每一个硬件平台都采用了略有不同的软件证言方案。平台的不同之处在于在隔离容器内执行的软件数量、为容器内的软件提供的隔离保证以及用于获取容器的度量的过程。每一个可信硬件平台的威胁模型和安全属性都是直接遵循上述的设计选择，因此，对证言的良好理解是讨论现有平台之间差异的前提。
</p-ch>
<subsubsection-title-en>3.3.1 Authenticated Key Agreement</subsubsection-title-en>
<subsubsection-title-ch>3.3.1 经鉴真的钥同意</subsubsection-title-ch>

<p-en>
	Software attestation can be combined with a key agreement protocol (§3.2.2), as software attestation provides the authentication required by the key agreement protocol. The resulting protocol can assure a verifier that it has established a shared secret with a specific piece of software, hosted inside an isolated container created by trusted hardware. The next paragraph outlines the augmented protocol, using Diffie-Hellman Key Exchange (DKE) [43] as an example of the key exchange protocol.
</p-en>
<p-ch>
	软件证言可与 钥同意协议(§3.2.2)相结合，因为软件证言提供了 钥同意协议 所要求的鉴真。由此产生的协议可以向验证者保证，它已经与一个特定的软件建立了共享秘密，该软件被托管在一个由可信硬件创建的隔离容器内。下一段将以Diffie-Hellman密钥交换(DKE)[43]作为密钥交换协议的例子，概述增强的协议。
</p-ch>
<p-en>
	The verifier starts executing the key exchange protocol, and sends the first message, g^A, to the software inside the secure container. The software inside the container produces the second key exchange message, g^B, and asks the trusted hardware to attest the cryptographic hash of both key exchange messages, h(g^A||g^B). The verifier receives the second key exchange and attestation signature, and authenticates the software inside the secure container by checking all the signatures along the attestation chain of trust shown in Figure 53.
</p-en>
<p-ch>
	验证者开始执行 钥交换协议，并向安全容器内的软件发送第一条消息g^A。容器内的软件产生第二条钥交换消息g^B，并要求受信任的硬件对两条钥交换消息的密码学散列h(g^A||g^B)进行证言。验证者收到第二条钥交换和证言签名，并通过检查图53所示的证言信任链上的所有签名，对安全容器内的软件进行鉴真。
</p-ch>
<img src="fig.53.jpg" width="" height="" alt="" />
<p-en>
	Figure 53: The chain of trust in software attestation. The root of trust is a manufacturer key, which produces an endorsement certificate for the secure processor's attestation key. The processor uses the attestation key to produce the attestation signature, which contains a cryptographic hash of the container and a message produced by the software inside the container.
</p-en>
<p-ch>
	图53: 软件证言中的信任链。信任的根源是 制造商钥，它为安全处理器的 证言钥 产生一个背书证书。处理器使用 证言钥 产生证言签名，该签名包含 容器的密码学散列 和 容器内软件产生的消息。
</p-ch>
<p-en>
	The chain of trust used in software attestation is rooted at a signing key owned by the hardware manufacturer, which must be trusted by the verifier. The manufacturer acts as a Certificate Authority (CA, §3.2.1), and provisions each secure processor that it produces with a unique attestation key, which is used to produce attestation signatures. The manufacturer also issues an endorsement certificate for each secure processor's attestation key. The certificate indicates that the key is meant to be used for software attestation. The certification policy generally states that, at the very least, the private part of the attestation key be stored in tamper-resistant hardware, and only be used to produce attestation signatures.
</p-en>
<p-ch>
	软件证言中使用的信任链以硬件制造商拥有的签名钥为基础，而硬件制造商必须得到验证者的信任。制造商作为一个证书权威（CA，§3.2.1），为其生产的每一个安全处理器提供一个独特的 证言钥，用来产生 证言签名。制造商还为每个安全处理器的 证言钥 颁发 背书证书。该证书表明，该钥是要用于软件证言的。认证政策一般规定，至少要将 证言钥 的私有部分存放在防篡改的硬件中，并且只能用于产生 证言签名。
</p-ch>
<p-en>
	A secure processor identifies each isolated container by storing a cryptographic hash of the code and data loaded inside the container. When the processor is asked to sign a piece of attestation data, it uses the cryptographic hash associated with the container as the measurement in the attestation signature. After a verifier validates the processor's attestation key using its endorsement certificate, the verifier ensures that the signature is valid, and that the measurement in the signature belongs to the software with which it expects to communicate. Having checked all the links in the attestation chain, the verifier has authenticated the other party in the key exchange, and is assured that it now shares a secret with the software that it expects, running in an isolated container on hardware that it trusts.
</p-en>
<p-ch>
	安全处理器通过存储 容器内装载的代码和数据的密码学散列值来识别每个隔离的容器。当处理器被要求签名一段 证言数据时，它使用与容器相关联的密码学散列作为 证言签名中的 度量。在验证者使用其 背书证书 验证处理器的 证言钥 后，验证者要确保签名是有效的，并且签名中的 度量 属于它期望与之通信的软件。在检查了证言链中的所有环节后，验证者已经对钥交换中的另一方进行了鉴真，并确信现在它与它所期望的软件共享一个秘密，该软件运行在它所信任的硬件上的一个隔离的容器中。
</p-ch>
<subsubsection-title-en>3.3.2 The Role of Software Measurement</subsubsection-title-en>
<subsubsection-title-ch>3.3.2 软件度量的作用</subsubsection-title-ch>

<p-en>
	The measurement that identifies the software inside a secure container is always computed using a secure hashing algorithm (§3.1.3). Trusted hardware designs differ in their secure hash function choices, and in the data provided to the hash function. However, all the designs share the principle that each step taken to build a secure container contributes data to its measurement hash.
</p-en>
<p-ch>
	标识安全容器内软件的 度量 总是使用安全散列算法计算的（§3.1.3）。可信硬件设计 在其安全散列函数的选择和提供给散列函数的数据上有所不同。然而，所有的设计都有一个共同的原则，即建立安全容器的每一步都会为其 度量散列 提供数据。
</p-ch>
<p-en>
	The philosophy behind software attestation is that the computer's owner can load any software she wishes in a secure container. However, the computer owner is assumed to have an incentive to participate in a distributed system where the secure container she built is authenticated via software attestation. Without the requirement to undergo software attestation, the computer owner can build any container without constraints, which would make it impossible to reason about the security properties of the software inside the container.
</p-en>
<p-ch>
	软件证言背后的理念是，计算机的所有者可以在一个安全容器中加载任何她想要的软件。然而，计算机所有者被假定为有动力参与一个分布式系统，在这个系统中，她建立的安全容器是通过 软件证言 被鉴真的。如果没有经过 软件证言 的要求，计算机所有者可以不受约束地构建任何容器，这将使人们无法推理容器内软件的安全属性。
</p-ch>
<p-en>
	By the argument above, a trusted hardware design based on software attestation must assume that each container is involved in software attestation, and that the remote party will refuse to interact with a container whose reported measurement does not match the expected value set by the distributed system's author.
</p-en>
<p-ch>
	通过上面的论证，基于 软件证言 的可信硬件设计必须假设每个容器都参与了软件证言，远程方会拒绝与 报告度量 与 分布式系统作者设定的预期值 不一致的容器进行交互。
</p-ch>
<p-en>
	For example, a cloud infrastructure provider should be able to use the secure containers provided by trusted hardware to run any software she wishes on her computers. However, the provider makes money by renting her infrastructure to customers. If security savvy customers are only willing to rent containers provided by trusted hardware, and use software attestation to authenticate the containers that they use, the cloud provider will have a strong financial incentive to build the customers' containers according to their specifications, so that the containers pass the software attestation.
</p-en>
<p-ch>
	例如，云基础设施提供商应该能够使用可信硬件提供的安全容器，在她的计算机上运行任何她想要的软件。然而，提供商通过向客户租用她的基础设施来赚钱。如果精通安全的客户只愿意租用由可信硬件提供的容器，并使用软件证言来鉴真他们使用的容器，那么云提供商将有很强的经济动机，按照客户的规格来构建客户的容器，使容器通过 软件证言。
</p-ch>
<p-en>
	A container's measurement is computed using a secure hashing algorithm, so the only method of building a container that matches an expected measurement is to follow the exact sequence of steps specified by the distributed system's author. The cryptographic properties of the secure hash function guarantee that if the computer's owner strays in any way from the prescribed sequence of steps, the measurement of the created container will not match the value expected by the distributed system's author, so the container will be rejected by the software attestation process.
</p-en>
<p-ch>
	容器的度量值是通过安全散列算法计算出来的，因此，建立一个与预期度量值相匹配的容器的唯一方法就是严格遵照分布式系统的作者所指定的步骤序列。安全散列函数的密码学特性保证了如果计算机的拥有者以任何方式偏离了规定的步骤序列，那么所建立的容器的度量值将不符合分布式系统作者的预期值，所以该容器将被软件证言过程所拒绝。
</p-ch>
<p-en>
	Therefore, it makes sense to state that a trusted hardware design's measurement scheme guarantees that a property has a certain value in a secure container. The precise meaning of this phrase is that the property's value determines the data used to compute the container's measurement, so an expected measurement hash effectively specifies an expected value for the property. All containers in a distributed system that correctly uses software attestation will have the desired value for the given property.
</p-en>
<p-ch>
	因此，说一个 可信硬件设计 的 度量方案 保证一个属性在安全容器中具有一定的值是有道理的。这句话的准确含义是，属性的值决定了用于计算容器度量值的数据，所以一个期望的度量散列有效地规定了属性的期望值。在一个正确使用软件证言的分布式系统中，所有的容器都将具有给定属性的期望值。
</p-ch>
<p-en>
	For example, the measuring scheme used by trusted hardware designed for cloud infrastructure should guarantee that the container's memory was initialized using the customer's content, often referred to as an image.
</p-en>
<p-ch>
	例如，为云基础设施设计的可信硬件所使用的度量方案应该保证容器的内存是使用客户的内容（通常被称为图像）初始化的。
</p-ch>

</body>
</html>	